[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Dec 28 21:38:02 MST 2011


The branch, master has been updated
       via  c2d6509 s4-gensec remove auth_session dep from gensec_gssapi.c
       via  3f5d30c s4-gensec Remove fallback for simple privileges
       via  fe693e9 s4-torture: Demonstrate handling of the PAC in a custom auth_context
       via  502140a s4-gensec: Pass the auth context in during gensec test
       via  2ee67e3 s4-pyauth: Make sure event context allows nesting
      from  149f8f1 s4-gensec: Move parsing of the PAC blob and creating the session_info into auth

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c2d6509c0b33cb202b0868d085f5c5c3606fccc6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 29 12:15:42 2011 +1100

    s4-gensec remove auth_session dep from gensec_gssapi.c
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Dec 29 05:37:11 CET 2011 on sn-devel-104

commit 3f5d30c8cb98b855e349e794fe224f10f8af1c10
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 29 12:00:21 2011 +1100

    s4-gensec Remove fallback for simple privileges
    
    This makes the dependencies simpler, as this code path is no longer
    required.  (That is, it makes no sense to have an NTLM login without
    an auth context, and the gensec_gssapi and gensec_krb5 modules call
    the PAC blob function below instead).
    
    Andrew Bartlett

commit fe693e9148cdd9faf3525289a97373a5989e5416
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 29 11:46:41 2011 +1100

    s4-torture: Demonstrate handling of the PAC in a custom auth_context
    
    This demonstrates how a different function pointer can be supplied
    to handle the PAC blob, without depending on the provisioned samdb etc.
    
    Andrew Bartlett

commit 502140a6ff1bae3a81f79c7753da8ca69b440d1c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 29 13:51:55 2011 +1100

    s4-gensec: Pass the auth context in during gensec test

commit 2ee67e37c239f303351eb80917d9c68334ce26ac
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 29 13:51:17 2011 +1100

    s4-pyauth: Make sure event context allows nesting

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/gensec_util.c              |   70 ++------------------
 source4/auth/gensec/wscript_build              |    4 +-
 source4/auth/pyauth.c                          |    3 +-
 source4/scripting/python/samba/tests/gensec.py |    5 +-
 source4/torture/rpc/remote_pac.c               |   83 +++++++++++++++++++++++-
 5 files changed, 93 insertions(+), 72 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c
index fa28c65..d767f90 100644
--- a/source4/auth/gensec/gensec_util.c
+++ b/source4/auth/gensec/gensec_util.c
@@ -26,9 +26,6 @@
 #include "auth/auth.h"
 #include "auth/credentials/credentials.h"
 #include "auth/system_session_proto.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/kerberos/kerberos_util.h"
 
 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 				      struct gensec_security *gensec_security,
@@ -53,12 +50,8 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 										 session_info_flags,
 										 session_info);
 	} else {
-		session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-		nt_status = auth_generate_session_info(mem_ctx,
-						       NULL,
-						       NULL,
-						       user_info_dc, session_info_flags,
-						       session_info);
+		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+		return NT_STATUS_INTERNAL_ERROR;
 	}
 	return nt_status;
 }
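Review bot: The contract change here deserves a comment, since callers that passed a NULL auth_context to gensec_server_start used to get a SIMPLE_PRIVILEGES session_info from the removed fallback and now get NT_STATUS_INTERNAL_ERROR instead. Failing closed is the right direction, but nothing in the code says so; I would put `/* No fallback: without an auth_context we refuse to build a session_info (the old SIMPLE_PRIVILEGES path was removed). */` above the `else`. The `else` after an unconditional `return` could also be flattened into a guard clause. gensec_generate_session_info begins outside this hunk.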
@@ -71,12 +64,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 					  const struct tsocket_address *remote_address,
 					  struct auth_session_info **session_info)
 {
-	NTSTATUS nt_status;
 	uint32_t session_info_flags = 0;
-	TALLOC_CTX *mem_ctx;
-	struct auth_user_info_dc *user_info_dc;
-	struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
-	struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
 
 	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
 		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
@@ -94,7 +82,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 			  principal_string));
 	}
 
-	if (gensec_security->auth_context) {
+	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
 		return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
 										mem_ctx_out,
 										smb_krb5_context,
@@ -103,54 +91,8 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 										remote_address,
 										session_info_flags,
 										session_info);
-	} else if (!pac_blob) {
-		DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n"));
-		return NT_STATUS_NO_SUCH_USER;
-	}
-
-	mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
-	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
-
-	pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
-	if (!pac_srv_sig) {
-		talloc_free(mem_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-	pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
-	if (!pac_kdc_sig) {
-		talloc_free(mem_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
-						      *pac_blob,
-						      smb_krb5_context->krb5_context,
-						      &user_info_dc,
-						      pac_srv_sig,
-						      pac_kdc_sig);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(mem_ctx);
-		return nt_status;
-	}
-
-	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-	nt_status = auth_generate_session_info(mem_ctx_out,
-					       NULL,
-					       NULL,
-					       user_info_dc, session_info_flags,
-					       session_info);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(mem_ctx);
-		return nt_status;
-	}
-
-	if ((*session_info)->torture) {
-		(*session_info)->torture->pac_srv_sig
-			= talloc_steal((*session_info)->torture, pac_srv_sig);
-		(*session_info)->torture->pac_kdc_sig
-			= talloc_steal((*session_info)->torture, pac_kdc_sig);
+	} else {
+		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+		return NT_STATUS_INTERNAL_ERROR;
 	}
-
-	talloc_free(mem_ctx);
-	return nt_status;
 }
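Review bot: The error message in the new `else` is misleading: the condition added earlier in this function now also fails when auth_context is set but its generate_session_info_pac pointer is NULL, yet the message says "without the auth_context". I would make it `DEBUG(0, ("Cannot generate a session_info without an auth_context that provides generate_session_info_pac\n"));`. Note also that the removed `!pac_blob` check (which returned NT_STATUS_NO_SUCH_USER) is gone from here entirely, so a NULL pac_blob now reaches whatever callback the auth_context supplies; that is fine only if every callback checks it. gensec_generate_session_info_pac begins outside this hunk.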
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index a4c5685..e298954 100644
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -2,14 +2,14 @@
 
 bld.SAMBA_SUBSYSTEM('gensec_util',
                     source='socket.c gensec_tstream.c gensec_util.c',
-                    deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL',
+                    deps='tevent-util tevent samba-util LIBTSOCKET',
                     autoproto='gensec_proto.h')
 
 bld.SAMBA_MODULE('gensec_krb5',
 	source='gensec_krb5.c',
 	subsystem='gensec',
 	init_function='gensec_krb5_init',
-	deps='samba-credentials authkrb5 auth_session com_err gensec_util',
+	deps='samba-credentials authkrb5 com_err gensec_util',
 	internal_module=False,
 	)
 
diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index 08ce9d3..f448a44 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -30,6 +30,7 @@
 #include "auth/credentials/pycredentials.h"
 #include <tevent.h>
 #include "librpc/rpc/pyrpc_util.h"
+#include "lib/events/events.h"
 
 void initauth(void);
 
@@ -245,7 +246,7 @@ static PyObject *py_auth_context_new(PyTypeObject *type, PyObject *args, PyObjec
 
 	lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
 
-	ev = tevent_context_init(mem_ctx);
+	ev = s4_event_context_init(mem_ctx);
 	if (ev == NULL) {
 		PyErr_NoMemory();
 		return NULL;
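Review bot: The reason for swapping tevent_context_init() for s4_event_context_init() lives only in the commit message ("allows nesting"); a reader of py_auth_context_new will not know why the generic initialiser is wrong here. I would add `/* s4_event_context_init() permits nested event loops, which the auth code driven from Python needs; plain tevent_context_init() does not. */` above the call, hedging as "presumably" if the nesting requirement is not documented elsewhere. The function starts and ends outside this hunk.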
diff --git a/source4/scripting/python/samba/tests/gensec.py b/source4/scripting/python/samba/tests/gensec.py
index ddca0df..53e2292 100644
--- a/source4/scripting/python/samba/tests/gensec.py
+++ b/source4/scripting/python/samba/tests/gensec.py
@@ -24,7 +24,7 @@ the functionality, that's already done in other tests.
 """
 
 from samba.credentials import Credentials
-from samba import gensec
+from samba import gensec, auth
 import samba.tests
 
 class GensecTests(samba.tests.TestCase):
@@ -56,7 +56,8 @@ class GensecTests(samba.tests.TestCase):
         self.gensec_client.want_feature(gensec.FEATURE_SEAL)
         self.gensec_client.start_mech_by_sasl_name("GSSAPI")
 
-        self.gensec_server = gensec.Security.start_server(self.settings)
+        self.gensec_server = gensec.Security.start_server(settings=self.settings, 
+                                                          auth_context=auth.AuthContext(lp_ctx=self.lp_ctx))
         creds = Credentials()
         creds.guess(self.lp_ctx)
         creds.set_machine_account(self.lp_ctx)
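Review bot: The rewrapped `start_server(...)` call leaves trailing whitespace after `settings=self.settings,` on the first line, which the project's style checks usually flag; it should be `self.gensec_server = gensec.Security.start_server(settings=self.settings,` with the continuation line aligned as written. Constructing `auth.AuthContext(lp_ctx=self.lp_ctx)` presumably makes this test depend on a usable provisioned environment where the previous NULL auth_context did not; worth a one-line comment in the test if that is intended. The test method continues outside this hunk.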
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 22fcd73..aca5187 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -42,6 +42,71 @@
 #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc"
 #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk"
 
+/* A helper function which avoids touching the local databases to
+ * generate the session info, as we just want to verify the PAC
+ * details, not the full local token */
+static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
+					       TALLOC_CTX *mem_ctx_out,
+					       struct smb_krb5_context *smb_krb5_context,
+					       DATA_BLOB *pac_blob,
+					       const char *principal_name,
+					       const struct tsocket_address *remote_address,
+					       uint32_t session_info_flags,
+					       struct auth_session_info **session_info)
+{
+	NTSTATUS nt_status;
+	struct auth_user_info_dc *user_info_dc;
+	struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+	struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
+	TALLOC_CTX *mem_ctx;
+	
+	mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
+	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+	pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+	if (!pac_srv_sig) {
+		talloc_free(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+	if (!pac_kdc_sig) {
+		talloc_free(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+						      *pac_blob,
+						      smb_krb5_context->krb5_context,
+						      &user_info_dc,
+						      pac_srv_sig,
+						      pac_kdc_sig);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(mem_ctx);
+		return nt_status;
+	}
+
+	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+	nt_status = auth_generate_session_info(mem_ctx_out,
+					       NULL,
+					       NULL,
+					       user_info_dc, session_info_flags,
+					       session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(mem_ctx);
+		return nt_status;
+	}
+
+	if ((*session_info)->torture) {
+		(*session_info)->torture->pac_srv_sig
+			= talloc_steal((*session_info)->torture, pac_srv_sig);
+		(*session_info)->torture->pac_kdc_sig
+			= talloc_steal((*session_info)->torture, pac_kdc_sig);
+	}
+
+	talloc_free(mem_ctx);
+	return nt_status;
+}
+
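Review bot: test_generate_session_info_pac dereferences `*pac_blob` in the kerberos_pac_blob_to_user_info_dc() call without checking for NULL, whereas the code it replaces in gensec_util.c guarded this with `if (!pac_blob) return NT_STATUS_NO_SUCH_USER;` before the dereference; a ticket that carries no PAC would now crash the torture run instead of failing cleanly. I would add `if (pac_blob == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_SUCH_USER; }` right after the mem_ctx allocation. The talloc context name "gensec_gssapi_session_info context" is also copied from the old location and no longer describes where it lives; `"test_generate_session_info_pac context"` would be clearer.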
 /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
 
 /* Also happens to be a really good one-step verfication of our Kerberos stack */
@@ -73,6 +138,7 @@ static bool test_PACVerify(struct torture_context *tctx,
 	
 	enum ndr_err_code ndr_err;
 
+	struct auth4_context *auth_context;
 	struct auth_session_info *session_info;
 
 	struct dcerpc_binding_handle *b = p->binding_handle;
@@ -85,6 +151,11 @@ static bool test_PACVerify(struct torture_context *tctx,
 		return false;
 	}
 
+	auth_context = talloc_zero(tmp_ctx, struct auth4_context);
+	torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
+
+	auth_context->generate_session_info_pac = test_generate_session_info_pac;
+
 	status = gensec_client_start(tctx, &gensec_client_context,
 				     lpcfg_gensec_settings(tctx, tctx->lp_ctx));
 	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
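Review bot: auth_context is allocated on tmp_ctx but handed to gensec_server_start, whose gensec_server_context is allocated on tctx a few lines below; if tmp_ctx is freed before that gensec context is torn down, the stored auth_context pointer dangles, so either allocate auth_context on tctx or confirm the teardown order in the part of test_PACVerify outside this hunk. Separately, the assertion message `"talloc_new() failed"` does not match the talloc_zero() it guards; `torture_assert(tctx, auth_context != NULL, "talloc_zero() failed");` would read correctly. test_PACVerify begins and ends outside this hunk.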
@@ -99,7 +170,7 @@ static bool test_PACVerify(struct torture_context *tctx,
 
 	status = gensec_server_start(tctx,
 				     lpcfg_gensec_settings(tctx, tctx->lp_ctx),
-				     NULL, &gensec_server_context);
+				     auth_context, &gensec_server_context);
 	torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
 
 	status = gensec_set_credentials(gensec_server_context, credentials);
@@ -407,6 +478,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 	struct gensec_security *gensec_client_context;
 	struct gensec_security *gensec_server_context;
 
+	struct auth4_context *auth_context;
 	struct auth_session_info *kinit_session_info;
 	struct auth_session_info *s2u4self_session_info;
 	struct auth_user_info_dc *netlogon_user_info_dc;
@@ -422,6 +494,11 @@ static bool test_S2U4Self(struct torture_context *tctx,
 
 	torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
 
+	auth_context = talloc_zero(tmp_ctx, struct auth4_context);
+	torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
+
+	auth_context->generate_session_info_pac = test_generate_session_info_pac;
+
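Review bot: The assertion message `"talloc_new() failed"` here guards a talloc_zero() call, so a failure would point a reader at the wrong allocator; `torture_assert(tctx, auth_context != NULL, "talloc_zero() failed");` is the accurate form. Since this single auth_context is reused for all three gensec_server_start calls later in test_S2U4Self, a short comment such as `/* shared by every server context in this test; the callback keeps no per-context state */` would make that reuse deliberate. test_S2U4Self begins and ends outside this hunk.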
 	/* First, do a normal Kerberos connection */
 
 	status = gensec_client_start(tctx, &gensec_client_context,
@@ -438,7 +515,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 
 	status = gensec_server_start(tctx,
 				     lpcfg_gensec_settings(tctx, tctx->lp_ctx),
-				     NULL, &gensec_server_context);
+				     auth_context, &gensec_server_context);
 	torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
 
 	status = gensec_set_credentials(gensec_server_context, credentials);
@@ -495,7 +572,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 
 	status = gensec_server_start(tctx,
 				     lpcfg_gensec_settings(tctx, tctx->lp_ctx),
-				     NULL, &gensec_server_context);
+				     auth_context, &gensec_server_context);
 	torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
 
 	status = gensec_set_credentials(gensec_server_context, credentials);

